Microsoft® Office 365™ is proving popular and adoption continues to accelerate.
A recent Gartner study found that 78 percent of IT decision makers say their organization is already using or is planning to use Office 365. This is 13 percentage points ahead of what the same survey found in 2014.
The adoption numbers clearly indicate that Office 365 is a product the market is eager for. Microsoft is adding over 50,000 customers to Office 365 a month and has well over 60 million commercial users.
While the growth of Office 365 has been explosive, when I talk to CIOs and IT directors, I often hear from them a reminder that the risks facing on-premises environments don’t change when organizations move email to the cloud. The security threats remain and companies need to prepare for, and shield employees from, productivity-crippling downtime.
The scale of the platform is massive, but it is important to remember that Office 365 depends on a number of technologies working in concert to provide a seamless service. In the case of email, this means that Microsoft Azure Active Directory (AD), Exchange Online Protection (EOP), archiving and the administration console must be always on and always accessible. If any of these services is disrupted or compromised, the result is stark: employees can’t send, receive or access email and, potentially worse, admins can’t control this critical communication platform for their business.
Mimecast experts have engaged in hundreds of Office 365 migrations and service implementations for companies of all sizes. As part of the process, we find that there are usually five key questions to ask during the migration process:
- Do I have a back-up plan if my email system goes down from cyber-attacks, human error or technical failure?
- How do I track outages and ensure I engage my vendors with the right language in the contract to cover my organization?
- If a system outage occurs, how do I respond in the most efficient way from a technical perspective?
- What other services can I use to ensure 100 percent uptime?
- Who within my organization do I need to brief prior to, during and after an outage occurs?
By answering these five questions, organizations can take a proactive approach before a system outage occurs and have a layered cyber resilience strategy to maintain productivity.
There will always be a give-and-take between the benefits and potential limitations of a move to the cloud so it is important to have the facts – as Microsoft Servers and Services MVP and author of “Conversational Office 365” J. Peter Bruzzese frequently says, “Don’t sleepwalk into the cloud.”
If you’d like to hear the answers to these questions and more about the best way to prepare for potential risks of Office 365, register today for the webinar, Cloud Outages Happen – Be Prepared, here.
There's a new threat in cybersecurity and it's aimed at the business world's biggest targets. The FBI estimates that Business Email Compromise (BEC), also known as CEO fraud or "whaling", increased more than 270%.
The FT reports total potential global losses increased by $800 million in just six months. Also, Mimecast research found that 55% of companies experienced increased whaling attempts. Companies ranging from Ubiquiti Networks to Snapchat have publicly admitted losing millions to these scams. What psychological and cultural factors make employees vulnerable to whaling and what can you do to prevent them?
How Do Criminals Conduct Their Research?
During whaling scams, a finance employee receives an email spoofed to look like it's coming from the CEO or CFO. The email requests a wire transfer and provides instructions for how to send it – usually confidentially or on short notice. An executive receives a request for information from a colleague that plays to their expertise. The requests look routine and convincing.
Cyber criminals use sophisticated social engineering backed by meticulous research. It's easy to find information: Company websites provide executive names and biographies. Internal reporting relationships can be mapped on sites like LinkedIn. Publicly traded companies sometimes even include bank names in their annual filings. Hackers' ability to put together a complete picture of the executive – including mining published articles and social updates for clues about communications styles – results in a very convincing portrayal.
The Employee-Side Psychology
Confusion and pressure: Confusion and pressure make employees more vulnerable to whaling scams. Requests from senior executives with confidentiality requests and short timelines don't leave room for follow-up. Considerable pressure – such as multiple emails and phone calls in a short time – amps up an employee's stress during the event.
Hierarchy and unwillingness to question authority: A cultural emphasis on efficiency and hierarchy leaves employees feeling like they'll get in trouble for verifying requests. Mid-level employees are often unwilling to challenge a request from the C-suite, especially when the request has been carefully targeted to look authentic.
The optimism bias: Harvard researcher Daniel Kahneman outlined a phenomenon called the optimism bias. People believe – despite knowing the risk – that they're less likely to be victims of a crime. Optimism leads you to believe the world is more benign than it really is, so when something looks fishy you chalk it up to non-harmful causes instead of asking questions.
Self-importance and ego: Whaling attacks geared at getting an executive to reveal information may play on ego and self-importance. From the desire to help to taking pride in your expertise, flattery and genuine-sounding appeals for help play into your emotional vulnerabilities.
The Impact of Whaling Scams
Cybersecurity breaches don't just endanger your data. Beyond the financial impact, internal and external trust is eroded when your company falls for a whaling scam. There's the loss of money and brand damage to the public. An executive's reputation can be harmed. Employees who fall for whaling scams can find themselves out of a job; if not, their reputation is damaged, their judgment is questioned and there are always lingering concerns.
One executive who fell victim to a whaling scam noted in an interview with the BBC, "It's like when your house or apartment gets broken into. You feel vulnerable. People get into your life and they know things about you and you have no clue, and they take things from you."
Understanding the psychological factors that contribute to whaling scams can improve your efforts to combat them, from employee training to internal testing. The right tools can also help. Learn more about Mimecast's new Impersonation Protect service and how it can protect employees and financial assets from this type of fraud.
You think you’re prepared to deal with cybersecurity threats. But, what if your organization became the target of a whaling attack, spear-phishing or weaponized attachment? These are just a few methods hackers and cybercriminals use to steal confidential data, employee information and even cash. Are you confident that your corporate email can protect your organization from these insidious attacks?
To ensure you really are confident that you can cope with email-based attacks, you need to get in touch with your true IT security self. This can help you find out how much of an impact past experience with email attacks has on future preparedness, and whether or not your organization is dedicating enough of your IT budget to cybersecurity.
Don’t worry: we can help. Mimecast recently surveyed hundreds of IT security pros across the globe to get to the bottom of how they felt about email security preparedness. Those responses identified the gaps between how prepared they think their companies are against email threats, and how prepared they actually are. Based on this insight, we spotted five security “personas” of IT security pros, or ways of helping you self-identify with a group that shares your values:
- The Vigilant: This is less than one-fifth of IT security professionals. They demonstrate a high confidence in their ability to handle or defend against cyber threats, despite no experience with email hacks or data breaches.
- The Equipped Veterans: Approximately one-fifth of IT security professionals – they are confident in their cybersecurity and have dealt with attacks in the past.
- The Apprehensive: About one-third of IT security professionals – they have no experience with data breaches or hacks and do not feel confident in their level of preparedness.
- The Nervous: Less than one-tenth of IT security professionals – they feel completely ill-equipped to cope with the cyber threat.
- The Battle-Scarred: Just over one-quarter of IT security professionals – these have experienced a history of data breaches or email hacks, but still feel unprepared to defend themselves against attacks in the future.
Ready to find out your true IT security persona? Take our IT Security Persona Test now. Learn about your distinct personality type and tips to boost your confidence.
Mimecast welcomes a new bill designed to protect emails and other electronic communications.
Can you remember the world in 1986? Aliens, Top Gun and Labyrinth were on at the movies and brick phones weighed the same as a bag of sugar.
The Electronic Communications Privacy Act was also enacted by the United States Congress. This ancient legislation allows law enforcement to search through emails, instant messages and photos stored in the cloud once they are 180 days old.
Back then, emails stored on a third party server for six months were considered by the law to be abandoned. This allows law enforcement agencies to obtain the data with just a written statement certifying that the information is relevant to an investigation, without judicial review.
Thirty years later, business archiving requirements, cloud technology and public opinion have moved things on considerably.
Today, we are proud that approximately 16,200 organizations and millions of their employees from around the world have entrusted their email and data to Mimecast. We process more than 180 million emails per day and our customers look to us to protect them from cybercriminals, outage and unwarranted government snooping.
The new Email Privacy Act (H.R. 699), passed unanimously by the U.S. House of Representatives, will require the government to get a warrant from a judge before obtaining private communications and documents stored online.
Email has gone from being just a communication platform to probably the greatest single repository of corporate knowledge any organization holds. Almost all corporate activity, discussion or ideas touch email at some point.
Due process should apply in the digital world now more than ever before.
Our customers use Mimecast to improve the security, reliability and archiving capabilities of their own email servers or primary cloud email service. We take our responsibility to protect their email and the petabytes of business information this includes very seriously.
Public opinion is on the side of fair and reasonable control of law enforcement and government in this regard to protect the right of the individual to privacy.
This is a clarion call for governments around the world to continue to modernise law-making in the wake of the unstoppable rise of cloud computing services. Laws written in the analogue and desktop computing age need rethinking for the cloud era.
Email is the bedrock of modern day communication and deserves up-to-date protection enshrined in legislation. This bill is a step in the right direction to further protect citizens’ private historical data held in the cloud from unreasonable intrusion.